I greatly appreciate all of your Synology videos. You speak so clearly and calmly...you have helped me so much during my first Synology configuration. Thank you!!
Bellissimo video! Finalmente ho risolto il mio problema di attaccchi al mio NAS da varie parti del mondo. Fino a qualche settimana fa avevo messaggi continui da parte del mio NAS di accessi non desiderati con i relativi indirizzi IP, dopo aver impostato il firewall, seguendo il tuo video, i messaggi sono completamente spariti!!! FINALMENTE!!! Seguo sempre i tuoi video molto semplici e professionali, continua così perché sei unico! Non voglio tradurre il testo con google perché voglio che si capisca che ti seguo dall'Italia... Grazie
Fantastic Tutorial Will. I still don't fully understand the numbers, but I used the ones you provided and tested it with my phone. Works great. A lot less complicated than my old one.
Will I discovered that with DSM 7.2 if you lock yourself out, it goes back to a previous firewall configuration to avoid it, and a pop-up window will even warn you about it!
Again, great video. While creating rules, you must select the interface(s) to apply them to. If I want to block DSM from ALL over the world except the US, I will use your example and applied to my BONDed interface. Now, I as travel, I want to be able to access DSM from ALL over the world as long as I connect to DSM's VPN Server. I guess I will have then one restrictive rule under BOND 1 and one permissive one (or at least no one blocking) for DSM over the VPN interface. Is that correct?
Great video Will! Thanks for showing us how to setup firewall security in an understandable way. One question, when using a Tailscale VPN, it assigns different IP addresses to each device that are not part of the three private networks you discussed. Should we add the Tailscale IP to the firewall and allow it? I have yet to setup my Synology firewall yet with All Denied yet so want to be sure that if I did, my Tailscale network would still work. Thanks again! 👍🏻👍🏻
Ah, so with TailScale I think the traffic actually comes in via the local app (does not act like a normal VPN) so you may not have to do anything. But if it does get blocked you can open up the CGNAT subnet the same way you did the other 3. Just with the following info: IP: 100.64.0.0 Subnet mask: 255.192.0.0
This helped me. I got someone (a bot) who kept trying to login onto the disabled admin account every 2 minutes. It was really annoying. After setting the firewall (and changing the standard dsm ports) it finally stopped. B.T.W. autoblock didn't work, the bot was using different ip's every time.
How does firewall work with reverse proxy? I want to allow access to certain docker apps like Jellyfin when accessing from reverse proxy. But adding port 8096 as a rule wont work, instead its port 443. However then it allow access to all my other docker apps. Is there a way to limit firewall access to only one docker app with reverse proxy?
How would you organize the following: clients (win/linux) backup data onto a smb share on a synology NAS. Now the data is backuped but not save against viruses that encrypt data because the share is available (I found no was to set security setting, that the clients can write data but not change or delete it). So I would backup this NAS-backup share with e.g. HyperBackup to another NAS - now this backup is absolutely safe. You see another, perhaps easier way?
Hi, I am trying to backup files to my Synology NAS from my computer using Acronis. If I leave fire wall off it works if I turn firewall on it doesn't. Any idea of the rules I need. Thank you.
Very timely Will; many thanks. I was just going through my Synology router and DS920+ last night and considering exactly this. On the NAS, there is a section : Control Panel \ Security \ Protection \ Allow/Block List that presumably provides at least some additional protection without setting up the firewall ?
It allows you to block traffic from a specific ip address. I have a limit on the number of login attempts and then a block is set up. I have had occasions of someone with a Russian ip address trying to access my NAS and so added them to the block list on my other NAS. I once blocked myself as I was using the wrong password and had to go in from another device and remove myself from the list!
Yes! I will always add autoblock to any network and any NAS. This prevents people just brute force password guessing. Even if you set it to 100 every 10 min you will keep machines from brute forcing. Autoblock can be used in tandem with Firewall
Synology is actually warning you if you're about to lock yourself out using the firewall so I don't even think it's possible. I have a request: Could you please make a guide on how to enable the firewall log in iptables and then how to send that log to a syslog server? I'm struggling with my poor Linux knowledge.
the last rule doesnt many anything unless you directly expose that NAS to a public ip address. the reason is NAT, your NAS will always see any traffic from outside coming from your main router's ip address. so the proper way to block connections from internet is basically add your router's IP address as your block rule if your aim is block any connection attempt on your NAS that is coming outside your local network,
This is not true. The process you are talking about where the traffic looks like it is coming from the router is NAT Masquerading. This is a very rare and niche feature that 99.9% of routers do not support. Port forwarding will show the public IP of the computer connecting to the NAS. You can try for yourself. Open up 5001 to the NAS and connect from your phone off WiFi. You will see your phones public in the connection logs
SpaceRex is the hero of Synology. They really should pay this guy. He's bringing lots of value!
Your channel is one of my go-to places when I need help or info on my NAS.
Thanks man!
I greatly appreciate all of your Synology videos. You speak so clearly and calmly...you have helped me so much during my first Synology configuration. Thank you!!
Bellissimo video! Finalmente ho risolto il mio problema di attaccchi al mio NAS da varie parti del mondo. Fino a qualche settimana fa avevo messaggi continui da parte del mio NAS di accessi non desiderati con i relativi indirizzi IP, dopo aver impostato il firewall, seguendo il tuo video, i messaggi sono completamente spariti!!! FINALMENTE!!! Seguo sempre i tuoi video molto semplici e professionali, continua così perché sei unico! Non voglio tradurre il testo con google perché voglio che si capisca che ti seguo dall'Italia... Grazie
Great tutorial, Will! Excellent information. Thanks again buddy! 😊
As you mention during the video, another video talking about network and subnet and would be great
It's really what I was looking for, thanks SpaceRex.🙏
Very useful, thank you for uploading! Now I have to reconfigure my NASes ;-)
Greetings from Germany!
This is exactly what I was looking for. Thanks, Will!
Fantastic Tutorial Will. I still don't fully understand the numbers, but I used the ones you provided and tested it with my phone. Works great. A lot less complicated than my old one.
Could not have come at a better time, Thankyou.
Really great video! Your channel has always been very helpful and I want to thank you for all of your hard work. Keep it up!
Thanks, Will. This is very useful information and you explained it well.
Will I discovered that with DSM 7.2 if you lock yourself out, it goes back to a previous firewall configuration to avoid it, and a pop-up window will even warn you about it!
Thats quite useful!
The last version of 7.1 prior to 7.2 also does this. Very useful indeed!
very very VERY usefull and well explained. Thanks and salute from italy
"Hey", very good video. Tks.
Again, great video. While creating rules, you must select the interface(s) to apply them to. If I want to block DSM from ALL over the world except the US, I will use your example and applied to my BONDed interface. Now, I as travel, I want to be able to access DSM from ALL over the world as long as I connect to DSM's VPN Server. I guess I will have then one restrictive rule under BOND 1 and one permissive one (or at least no one blocking) for DSM over the VPN interface.
Is that correct?
Great guide, helped me a lot. thanks!
Timely and simple. Thanks
Great video Will! Thanks for showing us how to setup firewall security in an understandable way. One question, when using a Tailscale VPN, it assigns different IP addresses to each device that are not part of the three private networks you discussed. Should we add the Tailscale IP to the firewall and allow it? I have yet to setup my Synology firewall yet with All Denied yet so want to be sure that if I did, my Tailscale network would still work. Thanks again! 👍🏻👍🏻
Ah, so with TailScale I think the traffic actually comes in via the local app (does not act like a normal VPN) so you may not have to do anything. But if it does get blocked you can open up the CGNAT subnet the same way you did the other 3. Just with the following info:
IP: 100.64.0.0
Subnet mask: 255.192.0.0
@@SpaceRexWill Great! Thank you! Since my Tailscale hands out IP’s with different second octets, would it be? …
IP: 100.0.0.0
Subnet Mask: 255.0.0.0
great tutorial, very helpful, Thanks a lot
Thank you! What about IPv6? Just had a look on my own NAS and it only seems to have options for IPv4.
I have not dealt with IPv6 too much, so I can’t be too much help!
This helped me. I got someone (a bot) who kept trying to login onto the disabled admin account every 2 minutes. It was really annoying. After setting the firewall (and changing the standard dsm ports) it finally stopped. B.T.W. autoblock didn't work, the bot was using different ip's every time.
I have the same issue, how did you make that change?
@@alanstei5680 search for DSM Port in Settings. Mind you that you wil have to change portforwarding on your router too if you have that set up.
Hello, Do you have a video where you show how to configure (CAPTCHA) for entering Synology nas??
How does firewall work with reverse proxy? I want to allow access to certain docker apps like Jellyfin when accessing from reverse proxy. But adding port 8096 as a rule wont work, instead its port 443. However then it allow access to all my other docker apps. Is there a way to limit firewall access to only one docker app with reverse proxy?
How would you organize the following: clients (win/linux) backup data onto a smb share on a synology NAS. Now the data is backuped but not save against viruses that encrypt data because the share is available (I found no was to set security setting, that the clients can write data but not change or delete it). So I would backup this NAS-backup share with e.g. HyperBackup to another NAS - now this backup is absolutely safe.
You see another, perhaps easier way?
i get an error "failed to load profile data" and can't add any rules. any idea how to correct it?
I have a Synology router as well as a Synology NAS, would you say that the same firewall rules can be used for the router?
The synology Firewall does not work. I block ALL IPS but my LAN and My friend can still access my nas??? Please explain
Is your Time machine backup video from 3 years ago still valid since a lot has changed with new DSM versions? If so, maybe a new video on this topic?
Hi, I am trying to backup files to my Synology NAS from my computer using Acronis. If I leave fire wall off it works if I turn firewall on it doesn't. Any idea of the rules I need. Thank you.
Ah found it ty.
If i want to allow access to Plex remotely, should i set allow "custom" port in the firewall to 32400?
Great tutorial but my Firewall is now greyed out and i cannot access at all. Please help with firewall problems.
Thanks!
Very timely Will; many thanks. I was just going through my Synology router and DS920+ last night and considering exactly this.
On the NAS, there is a section : Control Panel \ Security \ Protection \ Allow/Block List that presumably provides at least some additional protection without setting up the firewall ?
It allows you to block traffic from a specific ip address. I have a limit on the number of login attempts and then a block is set up. I have had occasions of someone with a Russian ip address trying to access my NAS and so added them to the block list on my other NAS. I once blocked myself as I was using the wrong password and had to go in from another device and remove myself from the list!
Yes! I will always add autoblock to any network and any NAS. This prevents people just brute force password guessing. Even if you set it to 100 every 10 min you will keep machines from brute forcing.
Autoblock can be used in tandem with Firewall
@@SpaceRexWill The Allow/Block list is just below Auto block. They are very different settings.
@@davewhite7182 The Allow/Block list is just below Auto block. They are very different settings.
Ah when a device is auto blocked it’s put in the block list. But if something is in the allow list it will never get blocked
the Synology has a console for watch the firewall logs?
Synology is actually warning you if you're about to lock yourself out using the firewall so I don't even think it's possible. I have a request: Could you please make a guide on how to enable the firewall log in iptables and then how to send that log to a syslog server? I'm struggling with my poor Linux knowledge.
What is a docker?
My conclusion, as there is a good firewall in my router, I will stick to your first advice and not set this up. Thanks again.
Would it make sense to apply the same LAN IP configuration on your router?
Your router likely is already doing this
the last rule doesnt many anything unless you directly expose that NAS to a public ip address.
the reason is NAT, your NAS will always see any traffic from outside coming from your main router's ip address.
so the proper way to block connections from internet is basically add your router's IP address as your block rule if your aim is block any connection attempt on your NAS that is coming outside your local network,
This is not true.
The process you are talking about where the traffic looks like it is coming from the router is NAT Masquerading. This is a very rare and niche feature that 99.9% of routers do not support. Port forwarding will show the public IP of the computer connecting to the NAS.
You can try for yourself. Open up 5001 to the NAS and connect from your phone off WiFi. You will see your phones public in the connection logs